Memory Injection And Cracking

In this article I'm going to show you how to change the value of a variable at run time. There are many tools that do this easily, but I will focus on doing it programmatically, specifically in C.

Now we will try to change the password to another one. So, open test.exe and let it run. It should look like this:

Now we have to find the memory address where the password is stored. We will do it with Cheat Engine, but there are many other tools for this. So open Cheat Engine and click on the computer icon. It should look something like this:

Now click on that flashing computer icon. This should appear:

Now search for test.exe and click "Open". We have successfully opened our process's memory! Let's go further!

Fill in the search properties like this (we are scanning for the string "lol", the password) and click "First scan". The string "lol" should appear in the left table together with its exact memory address.

Now copy the memory address somewhere safe, because we will need it later!
Of course we could change the value right now in Cheat Engine, but this article is not about "how to use Cheat Engine"; we will do this programmatically.

So our address is: 0022FF6C. Keep in mind that this address belongs to the process as it is running now; if you restart test.exe, the variable may land somewhere else, so re-scan and use the new address.

We will change the value at that memory address with the WriteProcessMemory() function.
Here is the code:

Here is what we will use: MemoryValueChange("test.exe", (void*) 0x0022FF6C, 102, 4)

1st argument is the process name, in our case test.exe.

2nd argument is the memory address; don't forget to put 0x in front of it so that it is read as hexadecimal!

3rd argument is the value we want to write. The function takes an int, because I had some difficulties getting it to work with a char, so look the character up in the ASCII table (http://www.asciitable.com); for example, code 102 is the character "f". Since x86 is little-endian, writing the int 102 as 4 bytes stores 66 00 00 00, i.e. "f" followed by the zero byte that terminates the string.

4th argument is the number of bytes to write; since we are writing an int, we can leave it at 4.
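The article's own procmem.c is not reproduced on this page, so here is an added example (my code, not the author's) that does the same job: it writes a few bytes to a chosen address in a target process. On Windows it uses the OpenProcess/WriteProcessMemory calls the article refers to, and resolves the process name the way MemoryValueChange takes it; on Linux it writes through /proc/<pid>/mem so the same program can be tried there. The stand-in target (g_password and check_login) is my assumption about what test.exe does, and the demo patches its own process so the address is known. To patch a real test.exe on Windows, replace current_pid() with find_pid_by_name("test.exe") and the address of g_password with the one Cheat Engine gave you.

```c
/* memwrite.c - write a value into another process's memory, as the
 * article's MemoryValueChange() does with WriteProcessMemory().
 * Added example; the target program (g_password/check_login) is a stand-in
 * for test.exe, which is not shown on the page. */
#if !defined(_WIN32) && !defined(_POSIX_C_SOURCE)
#define _POSIX_C_SOURCE 200809L   /* for pwrite() on Linux */
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#include <tlhelp32.h>
#else
#include <fcntl.h>
#include <unistd.h>
#endif

/* Write len bytes from data to address addr inside process pid.
 * Returns 1 on success, 0 on failure. */
int write_process_memory(unsigned long pid, uintptr_t addr, const void *data, size_t len)
{
#ifdef _WIN32
    /* PROCESS_VM_WRITE allows the write; PROCESS_VM_OPERATION lets the call
     * adjust page protection if the target page is not writable. */
    HANDLE h = OpenProcess(PROCESS_VM_WRITE | PROCESS_VM_OPERATION, FALSE, (DWORD)pid);
    if (h == NULL) return 0;
    SIZE_T written = 0;
    BOOL ok = WriteProcessMemory(h, (LPVOID)addr, data, len, &written);
    CloseHandle(h);
    return ok && written == len;
#else
    /* /proc/<pid>/mem is addressed by virtual address: the file offset is
     * the target address. Writing to it needs ptrace-level access to pid,
     * which a process always has to itself. */
    char path[64];
    snprintf(path, sizeof path, "/proc/%lu/mem", pid);
    int fd = open(path, O_RDWR);
    if (fd < 0) return 0;
    ssize_t n = pwrite(fd, data, len, (off_t)addr);
    close(fd);
    return n == (ssize_t)len;
#endif
}

#ifdef _WIN32
/* Resolve a process name such as "test.exe" to a PID (ANSI build, first match). */
unsigned long find_pid_by_name(const char *name)
{
    HANDLE snap = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);
    if (snap == INVALID_HANDLE_VALUE) return 0;
    PROCESSENTRY32 pe;
    pe.dwSize = sizeof pe;
    unsigned long pid = 0;
    if (Process32First(snap, &pe)) {
        do {
            if (_stricmp(pe.szExeFile, name) == 0) { pid = pe.th32ProcessID; break; }
        } while (Process32Next(snap, &pe));
    }
    CloseHandle(snap);
    return pid;
}
#endif

static unsigned long current_pid(void)
{
#ifdef _WIN32
    return GetCurrentProcessId();
#else
    return (unsigned long)getpid();
#endif
}

/* Stand-in for test.exe (assumed behaviour): the password sits in a plain
 * buffer and login is a string compare against it. */
static char g_password[8] = "lol";

int check_login(const char *attempt)
{
    return strcmp(attempt, g_password) == 0;
}

/* Repeat the article's patch (value 102, 4 bytes) against this process.
 * Returns 1 if the password now reads "f", 0 if the write failed. */
int demo_patch_password(void)
{
    int new_value = 102;  /* ASCII 'f'; on little-endian x86 the bytes are 66 00 00 00 */
    if (!write_process_memory(current_pid(), (uintptr_t)g_password,
                              &new_value, sizeof new_value))
        return 0;
    return check_login("f");  /* the zero bytes that follow 'f' terminate the string */
}

int main(void)
{
    printf("before: login(\"lol\") = %d\n", check_login("lol"));
    printf("patch ok: %d\n", demo_patch_password());
    printf("after:  login(\"lol\") = %d, login(\"f\") = %d\n",
           check_login("lol"), check_login("f"));
    return 0;
}
```

The 4-byte int write is exactly why the article's "f" trick works: the three zero bytes after 0x66 overwrite the rest of "lol" and end the string. Writing a longer value than the variable holds would spill into whatever is stored next to it, so keep the length argument equal to the variable's size.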

Ok, so our app test.exe is still running; now compile and run procmem.exe!

Once it finishes, something like this will appear:

Well done, the memory has been changed!

Ok, now you can close procmem.exe and look at test.exe.

Try to log in with the password that was in our code when we compiled it, "lol".

But what happened? You cannot log in? Yeah, right!

The password has been changed to ASCII 102 = "f".

So try to log in with "f"!

Voilà! You are welcomed, lord.

And how to protect against this? You can use the VirtualProtect function, but I'm not going to explain how to use it in this tutorial, maybe later. Keep in mind that VirtualProtect only sets page permissions: a process that already holds a handle to yours with PROCESS_VM_OPERATION can change them back with VirtualProtectEx, so it raises the bar rather than blocking the write.

But I can show you some tricks, like protecting yourself from Cheat Engine:

Yes, we have ptrace (instruction-level tracing), which can be used for an anti-debugging scheme (using PTRACE_TRACEME), but usually this is quite easy to bypass using utilities such as GDB. Check here. Basically, to date we don't have any solution that can protect your software from crackers (the scripting solution was quite rudimentary and can be easily bypassed; any cracker with some assembly knowledge can simply use a debugger such as OllyDbg and disable/delete that instruction). By employing these techniques we can only make it difficult for a cracker.

For some examples of cracking on Linux, you can have a look at my tutorial series of crackmes.
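As an added example (mine, not the commenter's or the article's) of the PTRACE_TRACEME scheme mentioned above, together with the other common Linux self-check, reading TracerPid from /proc/self/status. The sample status texts below are constructed, not captured from a real machine. Both checks have the weakness the comment describes: each boils down to one conditional branch, so a cracker can attach after the check has already run, break on the ptrace syscall in GDB and overwrite its return value, or patch the jump that follows the check.

```c
/* antidebug.c - two classic Linux self-checks against an attached debugger.
 * Added example, not code from the article or the comment above. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>

/* Check 1: PTRACE_TRACEME. A process can have only one tracer, so if a
 * debugger already has us the request fails with EPERM.
 * Returns 1 = debugger detected, 0 = not traced, -1 = refused with another
 * errno. Caveat: a seccomp policy or Yama ptrace_scope=3 also yields EPERM,
 * so "1" is not proof of a debugger. Call it once: on success our parent
 * really does become our tracer. */
int traceme_detects_debugger(void)
{
    errno = 0;
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == 0)
        return 0;
    return errno == EPERM ? 1 : -1;
}

/* Check 2: parse the "TracerPid:" line of /proc/<pid>/status text.
 * Returns the tracer's PID, 0 if untraced, -1 if the line is missing. */
long tracer_pid_from_status(const char *status_text)
{
    const char *p = strstr(status_text, "TracerPid:");
    if (p == NULL) return -1;
    return strtol(p + strlen("TracerPid:"), NULL, 10);  /* strtol skips the tab */
}

/* Live version of check 2 against this process. */
long current_tracer_pid(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf);
}

/* Constructed samples of /proc/self/status (not captured from a real host). */
static const char sample_traced[] =
    "Name:\ttest\nState:\tt (tracing stop)\nPid:\t4242\nPPid:\t1337\nTracerPid:\t1337\n";
static const char sample_clean[] =
    "Name:\ttest\nState:\tS (sleeping)\nPid:\t4242\nPPid:\t1\nTracerPid:\t0\n";

int main(void)
{
    printf("sample traced -> tracer %ld\n", tracer_pid_from_status(sample_traced));
    printf("sample clean  -> tracer %ld\n", tracer_pid_from_status(sample_clean));
    printf("this process  -> tracer %ld\n", current_tracer_pid());
    printf("PTRACE_TRACEME says: %d\n", traceme_detects_debugger());
    return 0;
}
```

Run it under gdb and both checks fire; then try `catch syscall ptrace` in gdb, `finish` out of the syscall and `set $rax = 0` (or just let gdb attach after main has started), and the program believes it is alone again. That is the whole of the comment's point: these checks only cost a cracker a minute.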


Exactly, thanks for the explanation instead of me. Btw, it was my intention to make it rudimentary, so that even beginners can understand it.